Need to setup Kerberos in my production farm

  • Article

Hello All,

It seems every time that I have a customer who wants to setup Kerberos, it is into a farm that already exists.  So I had to put these steps together for SharePoint 2010 recently for a customer and thought I would share it with all of you.

If your running Windows 2008 you need this

A Kerberos authentication fails together with the error code 0X80090302 or 0x8009030f on a computer that is running Windows Server 2008 or Windows Vista when the AES algorithm is used  (https://support.microsoft.com/kb/969083)

Articles of interest

https://www.microsoft.com/en-us/download/confirmation.aspx?id=23176

https://technet.microsoft.com/en-us/library/ff829837

https://technet.microsoft.com/en-us/library/ff607695.aspx

 

Review for known issues

https://technet.microsoft.com/en-us/library/gg502606.aspx

 

Info to gather

  1. For each Farm, For Each Web Application provide the following
    1. App Pool Account
    2. AAM's
  2. Do we need to authenticate against any sources as the user?
  3. For each SQL Instance
    1. SQL Server access account
    2. FQDN and Netbios name
    3. Port used to access instance
  4. For SSRS
    1. SSRS Web Service URL
    2. Service account

 

Steps to follow to enable Kerberos for Web Application and SSRS

 

    1. Configure DNS Record and Service Accounts to be used with SharePoint Web Applications
      1. Insure that all URL's you will be using are listed in DNS as an A Record.  If not work with your DNS administrator to create proper record type.
      2. For each Web Application perform the following
        1. Run the following commands
          1. Setspn -U -S HTTP/<AAM> <Serviceaccount>
          2. Setspn -U -S HTTP/<Netbios> <Serviceaccount>
          1. NOTE:You will have to run the command for each AAM separately except for AAM for HTTPS
    2. Set Kerberos Constrained Delegation, if needed NOTE: These steps will only work if the service account has had its SPN's created properly.
      1. Open Active Directory Users and Computers, and search each of the Service account, then perform the following steps for each of them
      2. Open Properties and click on the tab Delegation
      3. Select the check mark Expanded in bottom left corner
      4. Select Trust this user for delegation to specified services only
      5. Select Use any authentication protocol
      6. Click add button
      7. Select the Service account itself, as well as the Service account for all portals and services it will connect to
      8. Click Select All, and Click OK
      9. Once back to delegation tab select the check mark Expanded in bottom left corne
    3. Configure Web Applications
      1. Ensure Kerberos is Configured in IIS for each web site
        1. Open IIS Manager and Select Web Site
        2. Double click Authentication
        3. Select Windows Authentication
        4. Select Providers under Actions
        5. Verify that Negotiate is at the top of the list, if not Move it up.
      2. Ensure that Kernel Mode authentication is disabled
        1. Open IIS Manager and Select Web Site
        2. Double click Authentication  
        3. Select Windows Authentication
        4. Click Advanced Settings  
        5. Verify that Extended Protection is off and Kernel-mode authentication is unchecked.
      3. Configure Web Application to use Kerberos
        1. In central Admin go to Manage Web Application page
        2. Select Web Application  
        3. Click on Authentication Providers
        4. Click on Default Zone (Or Zone configured in Classic Mode)
        5. Select Negotiate (Kerberos)
      4. Verify Web App authentication is working
        1. Close all browsers on your PC, then open a new browser and connect to Web Application.
        2. Go to Security event log on each Web Front End.
        3. Look for event id 4624 (Logon).
        4. And search for Logon Process = Kerberos
        5. From your index server access Web Application.
        6. Upload an office file, perform an incremental crawl, and search for document.
    4. Configure Reporting Services
      1. Insure SQL Server is configured to use Kerberos
        1. Configure DNS and Service Account   
          1. Insure that all URL's you will be using are listed in DNS as an A Record.  If not work with your DNS administrator to create proper record type.
          2. For each instance of SQL using the SQL Service account run the following command    
            1. Run the following commands    
              1. Setspn -U -S MSSQLSVC/<FQDN>:<PORT <Serviceaccount>
              2. Setspn -U -S MSSQLSVC/<NETBIOS>:<PORT <Serviceaccount>    
          3. Reboot SharePoint Servers  
        2. Verify authentication   

          1. Run the following query against each instance of SQL

             Select s.session_id, s.login_name, s.host_name, c.auth_scheme From sys.dm_exec_connections c inner join sys.dm_exec_sessions s on c.session_id = s.session_id

          2. Review results under the
                 column Login_Name find your SharePoint Service accounts then look at
                 column auth_scheme and it should list Kerberos

    5. Configure Reporting Services to use Kerberos
      1. Configure DNS and Service Account
        1. Insure that all URL's you will be using are listed in DNS as an A Record.  If not work with your DNS administrator to create proper record type
        2. Using the SQL Reporting Service account and the URL for the reporting Web Service run the following command      
          1. Setspn -U -S HTTP/<FQDN> <Serviceaccount>
          2. Setspn -U -S HTTP/<Netbios> <ServiceAccount>   
      2. Using the SQL Reporting service account configure delegation   
        1. Open Active Directory Users and Computers, and search each of the Portal Service account, then perform the following steps for each of them.
        2. Open Properties and click on the tab Delegation
        3. Select the check mark Expanded in bottom left corner
        4. Select Trust this user for delegation to specified services only   
        5. Select Use any authentication protocol
        6. Click add button   
        7. Select the SQL Reporting Service account
        8. Click Select All, and Click OK   
        9. Once back to delegation tab select the check mark Expanded in bottom left corner
      3. Using the SQL service account configure delegation   
        1. Open Active Directory Users and Computers, and search each of the Portal Service account, then perform the following steps for each of them.
        2. Open Properties and click on the tab Delegation
        3. Select the check mark Expanded in bottom left corner
        4. Select Trust this user for delegation to specified services only
        5. Select Use any authentication protocol 
        6. Click add button
        7. Select the SQL Reporting Service account
        8. Click Select All, and Click OK   
        9. Once back to delegation tab select the check mark Expanded in bottom left corner
    6. Configure SSRS config files
      1. If you have multiple SQL Reporting servers then open the web.config file under <ProgramFile>\<SSRS> on each server and add the same machine key to each file
        1. You can generate a key using the site https://aspnetresources.com/tools/machineKey
        2. Add it to the element <System.web><MachineKey>
      2. On each SSRS server perform the following steps (Regardless if you have one server or multiple servers)
        1. Open ReportingServer.config    
          1. Change the auth type by adding <RSWindowsNegotiate/> to the element <AuthenticationTypes>
          2. Modify the element <UrlRoot> by adding the Reporting Web Service url
    7. Configure SharePoint
      1. Configure BackConnectionHostNames on all SSRS servers
        1. Following this article https://support.microsoft.com/kb/956158 add Netbios and FQDN of Reporting Web Service
        2. Reboot SSRS servers  
      2. Configure Reporting Services page in Central Admin
        1. Set the Report Server Web Service URL
        2. If you have multiple SSRS servers add each to the integration as a separate node
        3. Set the desired Server Defaults  
      3. Grant permissions to Web Applications using Reporting Service account

        1. Using Reporting Service account run the following command for each Web Application except for central admin

           $w = Get-SPWebApplication -Identity https://portal
$w.GrantAccessToProcessIdentity("vmlab\svcSQLRS")

        2.  Using Site Settings configure Site Collection to host a report

        3.  Create and publish a report to your Site Collection

Hope you find this helpful.